Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.
CWE-795 Base Incomplete
Only Filtering Special Elements at a Specified Location
This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the data. It fails to scan the entire input stream, allowing…
Definition
What is CWE-795?
This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the data. It fails to scan the entire input stream, allowing malicious elements that appear outside the expected location to pass through and potentially harm downstream components.
Imagine a filter designed to remove semicolons, but it only checks the very beginning of a user-supplied string. An attacker can simply place the semicolon later in the input—for example, in the middle or at the end—to bypass the filter entirely. This creates a false sense of security because the filter is active, but its limited scope leaves the application exposed to the very attacks it was meant to prevent.
This often happens when validation logic uses functions that only look for special characters at absolute positions (like 'byte 10') or relative to markers (like 'the second argument'). Developers must ensure their input sanitization processes perform a comprehensive check across the entire data payload, not just a single, predictable spot. The core failure is a logic error in the filter's design, not the absence of a filter.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-795
Bisher sind in MITREs Katalog keine öffentlichen CVE-Referenzen mit dieser CWE verknüpft.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
- 2
Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as:
- 3
will have the first "../" stripped, resulting in:
- 4
This value is then concatenated with the /home/user/ directory:
- 5
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-22).
Verwundbares Codebeispiel
Vulnerable Perl
The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
my $Username = GetUntrustedInput();
$Username =~ s/^\.\.\///;
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename); Angreifer-Payload
Since the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as:
../../../etc/passwd Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-795
- Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
- Implementation Validate input at trust boundaries; use allowlists, not denylists.
- Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
- Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
- Operation Monitor logs for the runtime signals listed in the next section.
Erkennungssignale
How to detect CWE-795
Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.
Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.
Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.
Plexicus erkennt CWE-795 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-795?
Wie gravierend ist CWE-795?
Welche Sprachen oder Plattformen sind von CWE-795 betroffen?
Wie kann ich CWE-795 verhindern?
Wie erkennt und behebt Plexicus CWE-795?
Wo erfahre ich mehr über CWE-795?
Frequently asked questions
Was ist CWE-795?
This vulnerability occurs when a security filter only checks for dangerous input patterns at specific, predefined locations within the data. It fails to scan the entire input stream, allowing malicious elements that appear outside the expected location to pass through and potentially harm downstream components.
Wie gravierend ist CWE-795?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-795 betroffen?
MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.
Wie kann ich CWE-795 verhindern?
Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.
Wie erkennt und behebt Plexicus CWE-795?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-795 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-795?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/795.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-795
CWE-791 Parent
Incomplete Filtering of Special Elements
This vulnerability occurs when an application accepts data from a source but fails to properly clean or neutralize all special characters…
CWE-792 Sibling
Incomplete Filtering of One or More Instances of Special Elements
This vulnerability occurs when an application receives external data but fails to properly neutralize all instances of potentially…
CWE-796 Child
Only Filtering Special Elements Relative to a Marker
This vulnerability occurs when software filters dangerous inputs or characters, but only checks for them in specific, expected locations…
CWE-797 Child
Only Filtering Special Elements at an Absolute Position
This vulnerability occurs when software checks for dangerous characters or patterns only at a fixed, hardcoded location in input data.…
Ressourcen
Further reading
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.